Security

Nephra runs on Digital Ocean App Platform with compute isolated per customer request. Our database is hosted by Supabase (PostgreSQL) in the EU (Frankfurt).

All systems are protected by a Web Application Firewall and DDoS mitigation provided by Cloudflare.

Data at rest: AES-256-GCM for all database fields containing personal or clinical data.

Data in transit: TLS 1.2 or higher enforced on all connections. HTTP is redirected to HTTPS.

Authentication tokens: Supabase Auth issues short-lived JWTs signed with ES256. Tokens are validated server-side on every request.

Nephra uses role-based access control (RBAC) with five distinct roles: Admin, Doctor, Nurse, Operator, and Patient. Each role has a least-privilege set of permissions enforced at the API layer.

All admin access to production infrastructure requires multi-factor authentication.

Every write operation on clinical data is recorded in an append-only audit log with user ID, timestamp, and action type. Logs are retained for a minimum of 7 years.

If you discover a security vulnerability, please report it responsibly to [email protected]. We aim to acknowledge reports within 2 business days and provide a fix timeline within 10 business days for critical issues.

We do not pursue legal action against researchers who act in good faith under this policy.

SOC 2 Type II audit is currently in progress. We expect to complete it in late 2026. Contact us for the latest status.